Hi,

> I posted an initial message on help-guix about compiling a custom
> hardened gcc, but guix-devel is a better list to continue the
> discussion. I wanted to revisit compiling Guix packages with a
> hardened toolchain since many other distros do this to improve the
> security of their packages.

On help-guix, you mean this [1], right?

1: <https://yhetil.org/guix/mtzbl4o--...@tutanota.com/>

> Previous emails only mentioned passing hardening options to CFLAGS and
> LDFLAGS. Another important step is to compile features into GCC and
> binutils. Specifically:
>
> * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
> to enforce ssp and pic

You wrote [1]:

--8<---------------cut here---------------start------------->8---
(define-public gcc
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp" "--enable-default-pie")
                 ,flags))))))
--8<---------------cut here---------------end--------------->8---

and from my understanding, it can lead to a name clash because the symbol
'gcc' (define-public gcc) and the symbol 'gcc' (inherit gcc) are the same
but do not refer to the same thing. Instead, let's define it as
gcc-hardened or anything else than 'gcc'.

Note that it could be better to define a procedure taking a GCC package
and returning it with "hardened" options. Untested,

--8<---------------cut here---------------start------------->8---
(define (make-gcc-hardened gcc)
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp" "--enable-default-pie")
                 ,flags))))))

(define-public gcc-hardened (make-gcc-hardened gcc))
--8<---------------cut here---------------end--------------->8---

This way, it becomes easy to also get GCC@7 using such options.

> * binutils can be compiled with `--enable-relro --enable-pic` to
> enforce relro and pic

Yes. Indeed, you need to adapt various tools from "gcc-toolchain" with
these hardened options.

> I'm not a toolchain expert by any means, but I think this is a good
> first step in improving Guix package security.

Once you have a new hardened gcc-toolchain, then you can use a package
transformation (with-c-toolchain) and recompile all the graph using this
new hardened gcc-toolchain for the packages you are interested in.

Including such a toolchain and providing binary substitutes is another
question. :-) (maintenance burden, etc.)

Hope that helps.

Cheers,
simon
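Carrying the thread's steps through to the end, as an added example that is not code from the thread or from Guix itself: one helper that prepends configure flags to any GNU-build-system package (generalising make-gcc-hardened so it serves gcc and binutils alike), a gcc-toolchain that wires in both hardened builds, and that toolchain handed to package-with-c-toolchain. The names add-configure-flags, *-hardened and the choice of hello as the sample package are assumptions; it assumes a Guix recent enough to provide modify-inputs and package-with-c-toolchain.

```scheme
;; Added example, not part of the mailing-list thread or of Guix.
;; Assumed names: add-configure-flags, gcc-hardened, binutils-hardened,
;; gcc-toolchain-hardened, hello-hardened.
(define-module (hardened-toolchain)
  #:use-module (guix packages)
  #:use-module (guix utils)                 ; substitute-keyword-arguments
  #:use-module (guix build-system gnu)      ; package-with-c-toolchain
  #:use-module (gnu packages base)          ; binutils, hello
  #:use-module (gnu packages gcc)           ; gcc
  #:use-module (gnu packages commencement)) ; make-gcc-toolchain

;; Generalisation of make-gcc-hardened: prepend FLAGS to the
;; #:configure-flags of BASE, keeping whatever flags BASE already had.
;; The default ''() covers packages that set no #:configure-flags at all.
(define (add-configure-flags base flags)
  (package
    (inherit base)
    (arguments
     (substitute-keyword-arguments (package-arguments base)
       ((#:configure-flags original ''())
        `(append (list ,@flags) ,original))))))

;; The two toolchain pieces named in the thread, with their hardening
;; options baked in at configure time rather than passed via CFLAGS/LDFLAGS.
(define-public gcc-hardened
  (add-configure-flags gcc '("--enable-default-ssp" "--enable-default-pie")))

(define-public binutils-hardened
  (add-configure-flags binutils '("--enable-relro" "--enable-pic")))

;; make-gcc-toolchain takes the compiler but wires in the stock binutils,
;; so replace that labelled input with the hardened build.
(define-public gcc-toolchain-hardened
  (let ((toolchain (make-gcc-toolchain gcc-hardened)))
    (package
      (inherit toolchain)
      (name "gcc-toolchain-hardened")
      (inputs (modify-inputs (package-inputs toolchain)
                (replace "binutils" binutils-hardened))))))

;; Apply the hardened toolchain to a package in Scheme; this is what the
;; with-c-toolchain transformation does on the command line.
(define-public hello-hardened
  (package-with-c-toolchain hello `(("toolchain" ,gcc-toolchain-hardened))))
```

With this file on the load path, `guix build -L <dir> hello-hardened` builds the variant, and `guix build --with-c-toolchain=PACKAGE=gcc-toolchain-hardened PACKAGE` applies the same toolchain to any other package graph. Check the result with a binary inspector (RELRO, PIE and stack-protector markers) before relying on it, since a package may still strip or override the defaults in its own build rules.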